Debian Security Advisory
DSA-3643-1 kde4libs -- security update
- Date Reported:
- 06 Aug 2016
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 832620.
In Mitre's CVE dictionary: CVE-2016-6232.
- More information:
Andreas Cord-Landwehr discovered that kde4libs, the core libraries for all KDE 4 applications, do not properly handle the extraction of archives with "../" in the file paths. A remote attacker can take advantage of this flaw to overwrite files outside of the extraction folder, if a user is tricked into extracting a specially crafted archive.
For the stable distribution (jessie), this problem has been fixed in version 4:4.14.2-5+deb8u1.
For the unstable distribution (sid), this problem has been fixed in version 4:4.14.22-2.
We recommend that you upgrade your kde4libs packages.